Ethical Hacking could be so much more than an oxymoron

11/29/2009 12:13:28 PM

Hacking generally and correctly describes the (noble) art and practice of writing software. The Jargon File defines hacking as, “engaging in the act of programming enthusiastically (even obsessively)”, and a hacker as, “one who enjoys programming, and is particularly good at it.” For our purposes, we’ll use the more accurate term cracker, “one who breaks security on a system or network or application”. Cracking typically involves writing software specifically designed to discover and exploit flaws in someone else’s software. Not so curiously, crackers themselves prefer to be called hackers for one of two reasons, perhaps both: (1) they truly believe they write superior code – after all, didn’t they find a flaw? – and, (2) despite their tendency to perceive themselves as superior, they do not consider themselves poor, racist whites from Southern (United) States.

S000 kewl…

An unwarranted amount of time and (media) attention is devoted to cracking. In movies – War Games, MI, The ‘net – often dorky-looking cyber-teens overmatch lame-oh IT staff, bypass the security measures of financial institutions and top-secret government facilities, and leave the hush-hush TLAs (three-letter organizations) with zilch to hunt them down. Novelists concoct massively debilitating worms that take out Wall Street.

A respected security company once ran an ad campaign that offered us images of a mysterious, evocative blonde cracker, fully equipped with generous cleavage, a slit skirt and a laptop; the commercial left no doubt that she’d “get root” through cracking or her more obvious social engineering skills.

The media, fascinated with Mitnick, Abene, Draper, Levin, Poulsen, et al., bestowed interviews and offered radio and television appearances. Some crackers were even rewarded with memberships in the editorial and journalistic inner circle, following their imprisonment.

In The Myth of Homeland Security, Marcus Ranum explains that the mystique surrounding cracking created lucrative business opportunities for “the misunderstood whiz kid… the geek-elite”. Abene began a security-consulting firm. Draper is selling an intrusion detection appliance. Mitnick’s running security conferences and doing the lecture circuit.

Marcus relates how the not-quite-geek-elite saw ways to make money doing what they did for free, without the risk of jail time – go establishment! – and how companies and government agencies eagerly sought to employ them. After all, Marcus explains, who knows more about cracking than former crackers? Still, some whitewash was needed. To legitimize cracking activities, the tech industry spawned a new species of programmer, the ethical hacker. (Presumably, ethical cracker was too much of an oxymoron for even members of the species to swallow.)

Ethical Hacking: Theory vs. Reality

Ethical hacking is the perceived high road of cracking, an organized and sanctioned practice of identifying vulnerabilities in software. In theory, an open community of security professionals cracks code in a virtual Petri dish, with considerable attention to prophylaxis (containment) and disclosure. Again, in theory, a vulnerability is discovered, then identified to the vendor responsible for the product, who verifies the flaw, and develops a corrective patch or workaround. The existence of the vulnerability is then disclosed to the public, which is encouraged to apply the patch or workaround.

In practice, open community ethical hacking is a train wreck, widely practiced outside these parameters, by people with ambiguous motives, using few, if any, formal methodologies and acceptance criteria. Moreover, vulnerability disclosure is generally an atomic event, and still mostly about the ego-rush of cracking code. Far less effort is directed at accumulating, correlating and analyzing exploit data. Such efforts might yield observations about a vendor’s software coding or quality assurance process, and so isolate the root cause of reams of flawed code. In simple terms, no holistic measures are recommended by, or can be deduced from, the current ethical hacking process.

I asked Marcus Ranum to comment on this, and his response was, “A most important point I try to make is that there are – regardless of the results – extreme questions that can be asked about the motives of these ‘grey hats’. Many of them appear to be doing their vulnerability research and disclosure to market themselves as consultants or to gain attention for their security start-up. Perhaps the best examples of this are security consultancies with ‘chief hacking officers’, who issue a constant stream of vulnerability announcements – a marketing bonanza because the naive customer is a captive audience who perceives he can’t ignore the warnings because he’ll get hacked if he does. It’s insidious.”

Commonly, vulnerabilities are publicly disclosed on mailing lists, often accompanied by the script or program employed. A vendor is typically allowed a grace period to respond, but “ethical” hackers have no problem taking a vulnerability public if the vendor fails to respond; after all, such disrespect justifies retaliation: “I notified Microsoft three weeks ago about this very important and critical vulnerability only I was able to discover and they haven’t done a damn thing, so since they disrespected me, I’m telling the world.” This behavior is reminiscent of holding a gun to the bank teller’s head while he unlocks the safe. It’s no wonder that many of the truly committed and reputable ethical hackers I’ve spoken with recently have admitted they are quietly abandoning these groups, and now work directly for vendors. Thus, while the best of the breed are justly rewarded with contract work, the open community is left with the less experienced, more ego-driven and impatient practitioners.

Why is the reality so bleak?

The answer is simple: too much emphasis on the hacking, too little emphasis on the ethics. Crackers and wannabes seek to build self-esteem, and measure up, through the discovery and execution of successful exploits. Marcus adds, “They are also frequently individuals who have managed to distance themselves emotionally from the consequences of their actions. Some are so lacking in empathy (in fact, often blaming the victim for getting hacked) that they are borderline sociopaths.”

Few individuals engage in hacking for reasons other than to prove, “I am more clever than everyone around me, and can write better code than those idiots at Microsoft, Oracle – in fact, anyone who writes code professionally – and I’ll prove it by writing an exploit that will embarrass them”. Ethical hacking affords crackers some things they crave but couldn’t always satisfy when they operated entirely outside the law: publicity, (perceived) respect, and a forum where they can be admired for their accomplishments by more than the handful of peers they might encounter in a rogue chat room. Imagine how thrilling the opportunity to issue press releases relating a critical vulnerability must be for someone craving attention. Imagine the power to say, “Here’s a bug, fix it or else!” to Microsoft… Sun… Oracle…

How to fix it

Vulnerability investigation can’t be played in the same creative sandbox as open source. Open source is an invaluable asset, but its process may be more useful for innovation than for quality assurance. Formalize and legitimize the vulnerability investigation and disclosure process. Apply the same disciplines as we do to other scientific research. At the same time, apply social pressure to reduce the marketing value ascribed to cracking. Television specials acclaiming the artistic value of graffiti worsened an already sorry situation; can’t we learn from this?

Create formal processes, gather and analyze vulnerability data: Common Vulnerabilities and Exposures initiatives are but baby steps to where we need to go.
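The correlation the article calls for, as an added example that is not part of the original post: a batch of vulnerability reports is grouped by vendor and coarse weakness class, and a vendor whose reports cluster in one class is flagged together with the quality assurance gap that clustering suggests. The records, vendor names, weakness labels (a simplified stand-in for a taxonomy such as CWE), thresholds and suggested process gaps are all constructed for illustration, not drawn from real advisories.

```python
"""Correlate a batch of vulnerability reports by vendor and weakness class.

Added example, not from the original article. Every record below is
constructed; the weakness labels are a simplified stand-in for a root-cause
taxonomy such as CWE, and the thresholds are illustrative, not a standard.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnReport:
    vendor: str
    product: str
    weakness: str   # coarse root-cause class, e.g. "memory-safety"
    year: int


# Constructed sample data, deliberately skewed so that one vendor's reports
# cluster in a single weakness class: the kind of signal that one-advisory-
# at-a-time ("atomic") disclosure never surfaces.
SAMPLE_REPORTS = [
    VulnReport("VendorA", "mail-server", "memory-safety", 2008),
    VulnReport("VendorA", "mail-server", "memory-safety", 2008),
    VulnReport("VendorA", "ftp-daemon", "memory-safety", 2009),
    VulnReport("VendorA", "web-proxy", "memory-safety", 2009),
    VulnReport("VendorA", "web-proxy", "input-validation", 2009),
    VulnReport("VendorA", "admin-console", "memory-safety", 2009),
    VulnReport("VendorB", "cms", "input-validation", 2008),
    VulnReport("VendorB", "cms", "authentication", 2009),
    VulnReport("VendorB", "forum", "input-validation", 2009),
    VulnReport("VendorB", "forum", "memory-safety", 2009),
]


def root_cause_profile(reports):
    """Return {vendor: Counter(weakness -> count)} accumulated over all reports."""
    profile = defaultdict(Counter)
    for r in reports:
        profile[r.vendor][r.weakness] += 1
    return dict(profile)


def dominant_weakness(reports, vendor, min_reports=5, min_share=0.6):
    """Flag a vendor whose reports concentrate in one weakness class.

    Returns (weakness, share) when the vendor has at least ``min_reports``
    reports and a single class accounts for at least ``min_share`` of them;
    otherwise None, because too few reports (or an even spread) say nothing
    about the vendor's process.
    """
    counts = root_cause_profile(reports).get(vendor)
    if not counts:
        return None
    total = sum(counts.values())
    if total < min_reports:
        return None
    weakness, n = counts.most_common(1)[0]
    share = n / total
    return (weakness, share) if share >= min_share else None


# Hypothetical mapping from a dominant weakness class to the QA gap it hints at.
SUGGESTIONS = {
    "memory-safety": "missing bounds-checking review or fuzzing in QA",
    "input-validation": "no input-validation standard at the framework layer",
    "authentication": "no security review of authentication flows",
}


def process_finding(reports, vendor):
    """Translate a dominant weakness into a process-level observation."""
    hit = dominant_weakness(reports, vendor)
    if hit is None:
        return f"{vendor}: no single dominant weakness class"
    weakness, share = hit
    gap = SUGGESTIONS.get(weakness, "an unclassified process gap")
    return f"{vendor}: {share:.0%} of reports are {weakness}; suggests {gap}"


if __name__ == "__main__":
    for v in sorted(root_cause_profile(SAMPLE_REPORTS)):
        print(process_finding(SAMPLE_REPORTS, v))
```

Run stand-alone, the script reports that five of VendorA's six reports are memory-safety bugs and names the QA gap that pattern suggests, while VendorB, with only four reports spread across three classes, yields no finding. The point is the shape of the analysis, not the thresholds: an individual advisory tells a vendor to fix one bug, whereas the accumulated profile tells it which part of its development process keeps producing them.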

Government agencies and privately held companies can and should share the expense, since both will benefit from a process designed to improve software development and qualification processes. Some might argue that software manufacturers ought to be doing this already. I can’t entirely disagree, but I also can’t help but conclude, after 30 years of watching (and, regretfully, contributing) poorly written software, that software needs an Underwriters’ Laboratories of its own.

Vet the individuals involved. They should be serious and committed to mitigating exploits in software, and able to set ego and personal ambition aside. This may be the hardest task of all.

Perhaps not. Perhaps all we need to do is adjust the noise-to-signal ratio. Emphasize the ethical and maybe we restore the honorific [2] to hacking.

[2] In a reply posted to me on an email list, Karl Auerbach mentioned, “The word ‘hacking’ has had a long and positive history. The negative connotations are latecoming additions to the word. To many of us, it is still an honorific.” It fits, and deserves attribution.